postfix-users May 2014 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: Re: Disabling Anonymous Diffie Hellman

Re: Disabling Anonymous Diffie Hellman

From: Viktor Dukhovni <postfix-users_at_nospam>
Date: Tue May 20 2014 - 14:38:50 GMT

On Tue, May 20, 2014 at 02:21:22PM +0000, Viktor Dukhovni wrote:

> Please change your site to reflect the correct risk model (opportunistic
> TLS). You should also add support for DANE, so that DANE-capable
> MTAs are not mis-identified as insecure (for example DANE-EE(3)
> certificate usage obviates the need for the hostname to match).

I can help you with the DANE implementation if you are interested.
[ I provided the DANE verification library for the NIST site that
does DANE verification of HTTPS sites. ]

Please do not assign negative scores to server support for ADH and
AECDH ciphersuites, even HTTPS servers should support these (to
discover clients that do, and perhaps offer them reduced access to
sensitive content). It is a common mistake to equate aNULL use in
servers with aNULL use in clients. As you might have discerned,
I am not a fan of sloppy analysis by "analogy", and not shy about
refuting it.

-- Viktor.